The European Supervisory Authorities designate critical ICT third-party providers under the Digital Operational Resilience Act (DORA)

The European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) published the list of designated critical ICT third-party providers (CTPPs) under the Digital Operational Resilience Act (DORA). This designation marks a crucial step in the implementation of the DORA oversight framework.

The list of the CTPP designated by the ESAs is accessible through this link. The designation process followed the methodology mandated by DORA. First, the ESAs collected data from the Registers of Information maintained by financial entities, which detail their contractual arrangements for ICT services.

Second, the ESAs conducted a detailed criticality assessment in cooperation with the Competent Authorities (CAs) across the EU from the banking, insurance and pensions, and securities and markets sectors. This assessment was carried out in line with the multifaceted criteria set out in DORA, which required a complete evaluation of a provider’s systemic importance, its role in supporting critical or important functions for financial entities, and the level of substitutability of its services.

Third, ICT third-party providers assessed as critical were formally notified, after which they benefitted from their right to be heard by providing a reasoned statement. The final designation decisions were adopted following a careful review of all relevant information, ensuring the integrity of the process.

The designated CTPPs provide a range of ICT services (e.g. from core infrastructure to business and data services) to financial entities of all types and sizes across the European Union, reflecting their pivotal role within the financial ecosystem.

In accordance with Article 31(9) of the Digital Operational Resilience Act, the list of designated
critical ICT third-party service providers at Union level (in alphabetic order) is the following:
− Accenture plc
− Amazon web Services EMEA Sarl
− Bloomberg L.P.
− Capgemini SE
− Colt Technology Services
− Deutsche Telekom AG
− Equinix (EMEA) B.V.
− Fidelity National Information Services, Inc.
− Google Cloud EMEA Limited
− International Business Machine Corporation
− InterXion HeadQuarters B.V.
− Kyndryl Inc.
− LSEG Data and Risk Limited
− Microsoft Ireland Operations Limited
− NTT DATA Inc.
− Oracle Nederland B.V.
− Orange SA
− SAP SE
− Tata Consultancy Services Limited

The objective of the DORA Oversight Framework, mandated to the ESAs, is to promote the sound management of ICT risk by the critical providers. Through direct oversight engagement, the ESAs will assess whether CTPPs have appropriate risk management and governance frameworks in place to ensure the resilience of the services they deliver to financial entities. This serves to mitigate risks that could impact the operational resilience of the financial sector of the EU.

The ESAs will keep engaging with CTPPs in the course of upcoming examination activities.

___________

Related content – DORA oversight